Friday, May 16, 2014

Surespot encrypted messenger celebrates
one year of encrypting image, text and voice messages

When surespot was released just one
year ago, the world was not yet aware of who Edward Snowden was. The
co-founders Cherie and Adam didn't need the coming revelations of
PRISM and DISHFIRE to understand that there was a need for easy-to-use,
always-on encryption for electronic communications. “Some
people claimed they had nothing to hide, to which we would reply, then
send me your bank PIN number over text message.” The negative
reaction was telling: we all knew deep down that electronic
communications were not secure, and now, thanks to Snowden, we know why
we felt that way.

To regain that privacy, surespot was
created. All image, text and voice messages are encrypted on the
user's phone or tablet using 256-bit AES-GCM encryption, which is
exceptionally strong. surespot usernames are not tied to
your phone number or email address, and you can have multiple
identities on a single device to keep matters separated. Identities
can also exist on multiple devices simultaneously, so you can carry on
a conversation on your phone, then move to your tablet and, in the
future, your desktop. Surespot users invite other users with
an invitation link or by scanning a QR code; the app does not pilfer your
contact book and automatically associate you with everyone in it. This
gives you the opportunity to ignore, block and even delete a
friendship, putting you back in control.

Consumer trust has been tested in this
era of security breaches and data mining, so the surespot creators
made all of the surespot encrypted messenger code open source. This
way anyone can examine the inner workings and verify that surespot
works exactly the way it claims to and that there are no backdoors.

Surespot is free to use, with in-app
purchases unlocking extra features like voice messaging and the
soon-to-be-released encrypted group chat. Cherie and Adam simply ask you
to pay what you like for the service. You can also contribute by
providing code, translating (currently available in French, German,
Spanish, English and Italian) and telling others about this encrypted
replacement for mobile messaging.

“We wanted organic and sustainable
growth, so we have relied on our loyal fans to spread the word and in
turn we implement their suggestions and provide personal customer
service. On this anniversary we are happy to announce that 13
million messages have been sent by our 130,000 worldwide users.”

Tuesday, April 8, 2014

TL;DR: change your password and back up your identity; no one was able to read your messages.

Our hosting company is Linode. We use their "NodeBalancer" product for load balancing, which allows for SSL termination, a feature we were taking advantage of. According to Linode, the vulnerability was patched in their NodeBalancers within 4 hours of the initial bug reports, meaning surespot servers were susceptible to the exploit until then.

Surespot relies upon HTTP sessions secured with SSL, so there was the potential that a session could have been hijacked, allowing an attacker to access the server posing as that user. In this state, the attacker could have performed the attacks described under "Login validation, sessions, and web method access" in the surespot threat analysis found on our website here: https://www.surespot.me/documents/threat.html.

Fortunately, as described in our threat document, these attacks are relatively minor. The encrypted message contents themselves are not vulnerable, as they are end-to-end encrypted and rely on the private key which is stored on your device.

Actions we are taking:

We have deleted all of the current sessions, so any sessions that may have been hijacked are no longer active. Since Linode has patched the bug, new sessions are no longer vulnerable.

It may be possible that an attacker could have obtained the information needed to log in and create a new session. In this unlikely event, to prevent the attacker from creating a new session, we recommend changing your password (don't forget to back up your identity again).

We have reissued the SSL certificate.

We wish to reiterate that the contents of your surespot messages were not made vulnerable/readable by this OpenSSL bug.